Additional Diffie-Hellman Groups for Use with IETF Standards
Status of This Memo 


This memo provides information for the Internet community. It does 
not specify an Internet standard of any kind. Distribution of this 
memo is unlimited. 


Abstract 


This document describes eight Diffie-Hellman groups that can be used 
in conjunction with IETF protocols to provide security for Internet 
communications. The groups allow implementers to use the same groups 
with a variety of security protocols, e.g., SMIME, Secure SHell 
(SSH), Transport Layer Security (TLS), and Internet Key Exchange 
(IKE). 


All of these groups comply in form and structure with relevant 
standards from ISO, ANSI, NIST, and the IEEE. These groups are 
compatible with all IETF standards that make use of Diffie-Hellman or 
Elliptic Curve Diffie-Hellman cryptography. 


These groups and the associated test data are defined by NIST on 
their web site [EX80056A], but have not yet (as of this writing) been 
published in a formal NIST document. Publication of these groups and 
associated test data, as well as describing how to use Diffie-Hellman 
and Elliptic Curve Diffie-Hellman for key agreement in all of the 
protocols cited below, in one RFC, will facilitate development of 
interoperable implementations and support the Federal Information 
Processing Standard (FIPS) validation of implementations that make 
use of these groups.

1. Introduction


This document provides parameters and test data for several 
Diffie-Hellman (D-H) groups that can be used with IETF protocols that 
employ D-H keys, (e.g., IKE, TLS, SSH, and SMIME) and with IETF 
standards, such as Public Key Infrastructure for X.509 Certificates 
(PKIX) (for certificates that carry D-H keys). These groups 
complement others already documented for the IETF, including the
"Oakley" groups defined in RFC 2409 [RFC2409] for use with IKEv1, and
several additional D-H groups defined later, e.g., [RFC3526] and
[RFC4492].

The initial impetus for the definition of D-H groups (in the IETF)
arose in the IPsec (IKE) context, because of the use of an ephemeral,
unauthenticated D-H exchange as the starting point for that protocol.
RFC 2409 defined five standard Oakley Groups: three modular
exponentiation groups and two elliptic curve groups over GF[2^N].
One modular exponentiation group (768 bits - Oakley Group 1) was
declared to be mandatory for all IKEv1 implementations to support,
while the other four were optional. Sixteen additional groups
subsequently have been defined and registered with IANA for use with
IKEv1, including eight that have also been registered for use with
IKEv2. All of these additional groups are optional in the IKE
context. Of the twenty-one groups defined so far for use with IKE,
eight are MODP groups (exponentiation groups modulo a prime), ten are
EC2N groups (elliptic curve groups over GF[2^N]), and three are ECP
groups (elliptic curve groups over GF[P]).


The purpose of this document is to provide the parameters and test 
data for eight additional groups, in a format consistent with 
existing RFCs along with instructions on how these groups can be used 
with IETF protocols such as SMIME, SSH, TLS, and IKE. Three of these 
groups were previously specified for use with IKE [RFC4753], and five 
of these groups were previously specified for use with TLS [RFC4492]. 
(The latter document does not provide or reference test data for the 
specified groups). By combining the specification of all eight 
groups with test data and instructions for use in a variety of 
protocols, this document serves as a resource for implementers who 
may wish to offer the same Diffie-Hellman groups for use with 
multiple IETF protocols. 


All of these groups are compatible with applicable ISO [ISO-14888-3],
ANSI [X9.62], and NIST [NIST80056A] standards for Diffie-Hellman key
exchange. These groups and the associated test data are defined by
NIST on their web site [EX80056A], but have not yet (as of this
writing) been published in a formal NIST document. Publication of
these groups with associated test data as an RFC will facilitate
development of interoperable implementations and support FIPS
validation of implementations that make use of these groups.


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
document are to be interpreted as described in RFC 2119 [RFC2119].

2. Additional Diffie-Hellman Groups

This section contains the specification for eight groups for use in
IKE, TLS, SSH, etc. There are three standard prime modulus groups
and five elliptic curve groups. All groups were taken from
publications of the National Institute of Standards and Technology,
specifically [DSS] and [NIST80056A]. Test data for each group is
provided in Appendix A.

2.1. 1024-bit MODP Group with 160-bit Prime Order Subgroup

The hexadecimal value of the prime is:

p = B10B8F96 A080E01D DE92DE5E AE5D54EC 52C99FBC FB06A3C6
    9A6A9DCA 52D23B61 6073E286 75A23D18 9838EF1E 2EE652C0
    13ECB4AE A9061123 24975C3C D49B83BF ACCBDD7D 90C4BD70
    98488E9C 21947372 4EFFD6FA E5644738 FAA31A4F F55BCCC0
    A151AF5F 0DC8B4BD 45BF37DF 365C1A65 E68CFDA7 6D4DA708
    DF1FB2BC 2E4A4371

The hexadecimal value of the generator is:

g = A4D1CBD5 C3FD3412 6765A442 EFB99905 F8104DD2 58AC507F
    D6406CFF 14266D31 266FEA1E 5C41564B 777E690F 5504F213
    160217B4 B01B886A 5E91547F 9E2749F4 D7FBD7D3 B9A92EE1
    909D0D22 63F80A76 A6A24C08 7TA091F53 1DBF0A01 69B6A28A
    D662A4D1 8E73AFA3 2D779D59 18D08BC8 858F4DCE F97C2A24
    855E6EEB 22B3B2E5

The generator generates a prime-order subgroup of size:

q = F518AA87 81A8DF27 8ABA4E7D 64B7CB9D 49462353

2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup

The hexadecimal value of the prime is:

p = AD107E1E 9123A9D0 D660FAA7 9559C51F A20D64E5 683B9FD1
    B54B1597 B61D0A75 E6FA141D F95A56DB AF9A3C40 7BA1DF15
    EB3D688A 309C180E 1DE6B85A 1274A0A6 6D3F8152 AD6AC212
    9037C9ED EFDA4DF8 D91E8FEF 55B7394B 7AD5B7D0 B6C12207
    C9F98D11 ED34DBF6 C6BA0B2C 8BBC27BE 6A00E0A0 B9C49708
    B3BF8A31 70918836 81286130 C8985DB 1602E714 415D9330
    278273C7 DE31EFDC 7310F712 FD5A074 15987D9A DC0A486D
    CDF93ACC 44328387 315D75E1 8C641A4 80CD86A1 B9E587E8
    BE60E69C C928B2B9 C52172E4 3042E9B 23F10B0E 16E79763
    C9B53DCF 4BA80A29 E3FB73C1 B8E75B9 7EF363E2 FFA31F71
    CF9DE538 4E71B81C 0AC4DFFE 0C10E64F

The hexadecimal value of the generator is:

g = AC4032EF 4F2D9AE3 9DF30B5C 8FFDAC50 6CDEBE7B 89998CAF
    74866A08 CFE4FFE3 A6824A4E 10B9A6F0 DD921F01 AT0C4AFA
    AB739D77 00C29F52 C57DB17C 620A8652 BE5E9001 A8D66AD7
    C1766910 1999024A F4D02727 5AC1348B B8A762D0 521BC98A
    E2471504 22EA1ED4 09939D54 DA7460CD BSF6C6B2 50717CBE
    F180EB34 118E98D1 19529A45 D6F83456 6E3025E3 16A330EF
    BB77A86F 0C1AB15B 051AE3D4 28C8F8AC B70A8137 150B8EEB
    10E183ED D19963DD D9E263E4 770589EF 6AA21E7F 5F2FF381
    B539CCE3 409D13CD 566AFBB4 8D6C0191 191F2BFA 94B30269
    EDFE72FE 9B6AA4BD 7B5A0F1C 71CFFF4C 19C418E1 F6EC0179
    81BC087F 2A7065B3 84B890D3 81E1BCFE

The generator generates a prime-order subgroup of size:

q = 801C0D34 C58D93FE 99717710 1F80535A 4738CEBC BF389A99
    B36371EB

Informational                                        January 2008

2.3. 2048-bit MODP Group with 256-bit Prime Order Subgroup

The hexadecimal value of the prime is:

p = 87A8E61D B4B6663C FFBBD19C 65195999 8CEEF608 660DDO0F2
    5D2CEED4 435E3B00 E00DF8F1 D61957D4 FAF7DF45 61B2AA30
    16C3D911 34096FAA 3BF4296D 830E9A7C 209E0C64 97517ABD
    5A8A9D30 6BCF67ED 91F9E672 5B4758C0 22E0B1EF 4275BE7B
    6C5BFC11 D45F9088 B941F54E B1E59BB8 BC39A0BF 12307F5C
    4FDB70C5 81B23F76 B63ACAE1 CAA6B790 2D525267 35488A0E
    F13C6D9A 51BFA4AB 3AD83477 96524D8E F6A167B5 A41825D9
    67E144E5 14056425 1CCACB83 E6B486F6 B3CA3F79 71506026
    C0B857F6 89962856 DED4010A BD0BE621 C3A3960A 54E710C3
    71526375 D7014103 A4B54330 C198AF12 6116D227 6E11715F
    693877FA D7EF09CA DB094AE9 1£1A1597

The hexadecimal value of the generator is:

g = 3FB32C9B 73134D0B 2E775066 60EDBD48 4CA7B18F 21EF2054
    07F4793A 1A0BA125 10DBC150 77BE463F FF4FED4A AC0BB555
    BE3A6C1B 0C6B47B1 BC3773BF JE8C6F62 901228F8 C28CBB18
    A55AE313 41000A65 0196F931 C77A57F2 DDF463E5 E9EC144B
    777DE62A AAB8A862 8AC376D2 82D6ED38 64E67982 428EBC83
    1D14348F 6F2F9193 B5045AF2 767164E1 DFC967C1 FB3F2E55
    A4BD1BFF E83B9C80 D052B985 D182EA0A DB2A3B73 13D3FE14
    C8484B1E 052588B9 B7D2BBD2 DF016199 ECD06E15 57CD0915
    B3353BBB 64E0EC37 7FD02837 0DF92B52 C7891428 CDC67EB6
    184B523D 1DB246C3 2F630784 90F00EF8 D647D148 D4795451
    5E2327CF EF98C582 664B4C0F 6CC41659

The generator generates a prime-order subgroup of size:

q = 8CF83642 A709A097 B4479976 40129DA2 99B1A47D 1EB3750B
    A308B0FE 64F5FBD3


2.4. 192-bit Random ECP Group 


The curve is based on the integers modulo the prime p given by: 
p = 2^(192) - 2^(64) - 1


Group prime (in hexadecimal): 
p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFF 


The equation for the elliptic curve is: 
y^2 = x^3 + ax + b (mod p)


Group curve parameter A (in hexadecimal): 
a = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FEFFFFEC 


Group curve parameter B (in hexadecimal): 
b = 64210519 E59C80E7 0FATE9AB 72243049 FEB8DEEC C146B9B1


The generator for this group is given by: g=(gx,gy) where

gx = 188DA801 B03090F6 “CBF20EB 43A18800 F4FF0AFD 82FF1012

gy = 07192B95 FFC8DA78 631011ED 6B24CDD5 73F977A1 1E794811

Group order (in hexadecimal):
n = FFFFFFFF FFFFFFFF FFFFFFFF 99DEF836 146BC9B1 B4D22831

2.5. 224-bit Random ECP Group


The curve is based on the integers modulo the prime p given by: 
p = 2^(224) - 2^(96) + 1


Group prime (in hexadecimal): 
p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 00000000 
00000001 


The equation for the elliptic curve is: 
y^2 = x^3 + ax + b (mod p)


Group curve parameter A (in hexadecimal): 
a = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFF 
FFFFFFFE 


Group curve parameter B (in hexadecimal): 
b = B4050A85 0C04B3AB F5413256 5044B0B7 D7BFD8BA 270B3943
2355FFB4 


The generator for this group is given by: g=(gx,gy) where 


gx = B70E0CBD 6BB4BF7F 321390B9 4A03C1D3 56C21122 343280D6 
115C1D21 


gy = BD376388 B5F723FB 4C22DFE6 CD4375A0 5A074764 44D58199 
85007E34 


Group Order (in hexadecimal): 
n = FFFFFFFF FFFFFFFF FFFFFFFF FFFF16A2 EO0B8F03E 13DD2945 
5C5C2A3D 


2.6. 256-bit Random ECP Group 


The curve is based on the integers modulo the prime p given by: 
p = 2^(256)-2^(224)+2^(192)+2^(96)-1


Group prime (in hexadecimal): 
p = FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF 
FFFFFFFF FFFFFFFF 


The equation for the elliptic curve is: 
y^2 = x^3 + ax + b (mod p) 


Group curve parameter A (in hexadecimal): 


a = FFFFFFFF 00000001 00000000 00000000 00000000 FFFFFFFF 
FFFFFFFF FFFFFFFC

Group curve parameter B (in hexadecimal):
b = 5AC635D8 AA3A93E7 B3EBBD55 769886BC 651D06B0 CC53B0F6
3BCE3C3E 27D2604B

The generator for this group is given by: g=(gx,gy) where

gx = 6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0
F4A13945 D898C296

gy = 4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE
CBB64068 37BF51F5


Group Order (in hexadecimal): 
n = FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 
F3B9CAC2 FC632551 


2.7. 384-bit Random ECP Group 


The curve is based on the integers modulo the prime p given by: 
p = 2^(384)-2^(128)-2^(96)+2^(32)-1 


Group prime (in hexadecimal): 
p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 
FFFFFFFF FFFFFFFE FFFFFFFF 00000000 00000000 FFFFFFFF 


The equation for the elliptic curve is: 
y^2 = x^3 + ax + b (mod p) 


Group curve parameter A (in hexadecimal): 
a = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 
FFFFFFFF FFFFFFFE FFFFFFFF 00000000 00000000 FFFFFFFC 


Group curve parameter B (in hexadecimal): 
b = B3312FA7 E23EE7E4 988E056B E3F82D19 181D9C6E FE814112 
0314088F 5013875A C656398D 8A2ED19D 2A85C8ED D3EC2AEF 


The generator for this group is given by: g=(gx,gy) where 


gx = AA87CA22 BE8B0537 8EB1C71E F320AD74 6E1D3B62 8BA79B98 
59F741E0 82542A38 5502F25D BF55296C 3A545E38 72760AB7 

gy = 3617DE4A 96262C6F 5D9E98BF 9292DC29 F8F41DBD 289A147C
E9DA3113 B5F0OB8C0 0A60B1CE 1D7E819D 7A431D7C 90EA0E5F


Group Order (in hexadecimal): 
n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 
C7634D81 F4372DDF 581A0DB2 48B0A77A ECEC196A CCC52973

2.8. 521-bit Random ECP Group

The curve is based on the integers modulo the prime p given by:
p = 2^(521) - 1


Group Prime (in hexadecimal): 
p = 000001FF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 


The equation for the elliptic curve is: 
y^2 = x^3 + ax + b (mod p) 


Group curve parameter A (in hexadecimal): 
a = 000001FF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFC 


Group curve parameter B (in hexadecimal): 
b = 00000051 953EB961 8E1C9A1F 929A21A0 B68540EE A2DA725B 
99B315F3 B8B48991 8EF109E1 56193951 EC7E937B 1652C0BD 
3BB1BF07 3573DF88 3D2C34F1 EF451FD4 6B503F00 


The generator for this group is given by: g=(gx,gy) where 


gx = 000000C6 858E06B7 0404E9CD 9E3ECB66 2395B442 9C648139 
053FB521 F828AF60 6B4D3DBA A14B5E77 EFE75928 FE1DC127 
A2FFA8DE 3348B3C1 856A429B F97E7E31 C2E5BD66 


gy = 00000118 39296A78 9%A3BC004 5C8A5FB4 2C7D1BD9 98F54449 
579B4468 17AFBD17 273E662C 97EE7299 5EF42640 C550B901 
3FAD0761 353C7086 A272C240 88BE9476 9FD16650 


Group Order (in hexadecimal): 
n = 000001FF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 
FFFFFFFF FFFFFFFF FFFFFFFA 51868783 BF2F966B 7FCC0148 
F709A5D0 3BB5C9B8 899C47AE BB6FB71E 91386409


3. Using These Groups with IETF Standards 

3.1. X.509 Certificates

Representation of both MODP and Elliptic Curve Diffie-Hellman public
keys (and associated parameters) in X.509 certificates is defined in
[RFC3279]. The MODP groups defined above MUST be represented via the
syntax defined in Section 2.3.3, and the elliptic curve groups via
the syntax defined in Section 2.3.5 of that RFC. When a
Diffie-Hellman public key is encoded in a certificate, if the
KeyUsage extension is present, the keyAgreement bits MUST be
asserted, and encipherOnly or decipherOnly (but not both) MAY be
asserted.

3.2. IKE

Use of MODP Diffie-Hellman groups with IKEv2 is defined in [RFC4306],
and the use of MODP groups with IKEv1 is defined in [RFC2409].
However, in the case of ECP Diffie-Hellman groups, the format of key
exchange payloads and the derivation of a shared secret has thus far
been specified on a group-by-group basis. For the ECP Diffie-Hellman
groups defined in this document, the key exchange payload format and
shared key derivation procedure specified in [RFC4753] MUST be used
(with both IKEv2 and IKEv1).

In order to use a Diffie-Hellman group with IKE, it is required that
a transform ID for the group be registered with IANA. The following
table provides the Transform IDs of each Diffie-Hellman group
described in this document, as registered in both [IANA-IKE] and
[IANA-IKE2].

NAME                                                  | NUMBER
------------------------------------------------------+--------
1024-bit MODP Group with 160-bit Prime Order Subgroup |   22
2048-bit MODP Group with 224-bit Prime Order Subgroup |   23
2048-bit MODP Group with 256-bit Prime Order Subgroup |   24
192-bit Random ECP Group                              |   25
224-bit Random ECP Group                              |   26
256-bit Random ECP Group                              |   19
384-bit Random ECP Group                              |   20
521-bit Random ECP Group                              |   21

3.3. TLS 


Use of MODP Diffie-Hellman groups in TLS 1.1 is defined in [RFC4346]. 
TLS 1.0, the widely deployed predecessor of TLS 1.1, is specified in 
[RFC2246] and is the same as TLS 1.1 with respect to the use of 
(MODP) Diffie-Hellman to compute a pre-Master secret. (Currently, 
the TLS working group is in the process of producing a specification 
for TLS 1.2. It is unlikely that TLS 1.2 will make significant 
changes to the use of Diffie-Hellman, and thus the following will 
likely also be applicable to TLS 1.2).

A server may employ a certificate containing (fixed) Diffie-Hellman
parameters, and likewise for a client using a certificate. Thus, the 
relevant PKIX RFCs (see 3.1 above) are applicable. Alternatively, a 
server may send ephemeral Diffie-Hellman parameters in the server key 
exchange message, where the message signature is verified using an 
RSA- or DSS-signed server certificate. The details for accomplishing 
this for MODP Diffie-Hellman groups are provided in [RFC2246]. 


Use of Elliptic Curve Diffie-Hellman in TLS 1.1 (and 1.0) is defined 
in [RFC4492]. The elliptic curves in this document appear in the 
IANA EC Named Curve Registry [IANA-TLS], although the names in the 
registry are taken from the Standards for Efficient Cryptography 
Group (SECG) specification [SECG] and differ from the names appearing 
in NIST publications. The following table provides the EC Named 
Curve ID for each of the elliptic curves along with both the NIST 
name and the SECG name for the curve. 


NAME (NIST)              | NUMBER | NAME (SECG)
-------------------------+--------+-------------
192-bit Random ECP Group |   19   | secp192r1
224-bit Random ECP Group |   21   | secp224r1
256-bit Random ECP Group |   23   | secp256r1
384-bit Random ECP Group |   24   | secp384r1
521-bit Random ECP Group |   25   | secp521r1

3.4. SSH 


Use of Diffie-Hellman with SSH was defined initially in [RFC4253]. 
That RFC defined two MODP Diffie-Hellman groups, and called for the 
registration of additional groups via an IANA registry. However, 
[RFC4419] extended the original model to allow MODP Diffie-Hellman 
parameters to be transmitted as part of the key exchange messages. 
Thus, using RFC 4419, no additional specifications (or IANA registry 
actions) are required to enable use of the MODP groups defined in 
this document. At this time, no RFC describes the use of Elliptic 
Curve Diffie-Hellman with SSH. However, [SSH-ECC] provides a 
description of how to make use of Elliptic Curve Diffie-Hellman with 
SSH. 


3.5. SMIME 


Use of Diffie-Hellman in SMIME is defined via a discussion of 
Cryptographic Message Syntax (CMS) enveloped data [RFC3852]. For 
MODP Diffie-Hellman, the appropriate reference is [RFC2631]. This 
specification calls for a sender to extract the Diffie-Hellman (MODP) 
parameters from a recipient’s certificate, and thus the PKIX 
specifications for representation of Diffie-Hellman parameters 
suffice. The sender transmits his public key via the
OriginatorIdentifierOrKey field, or via a reference to the sender's
certificate. 


Use of Elliptic Curve Diffie-Hellman in CMS is defined in [RFC3278]. 
As with use of MODP Diffie-Hellman in the CMS context, the sender is 
assumed to acquire the recipient’s public key and parameters from a 
certificate. The sender includes his Elliptic Curve Diffie-Hellman 
public key in the KeyAgreeRecipientInfo originator field. (See 
Section 8.2 of RFC 3278 for details of the ECC-CMS-SharedInfo). 


4. Security Considerations 


The strength of a key derived from a Diffie-Hellman exchange using 
any of the groups defined here depends on the inherent strength of 
the group, the size of the exponent used, and the entropy provided by 
the random number generator used. The groups defined in this 
document were chosen to make the work factor for solving the discrete 
logarithm problem roughly comparable to an attack on the subgroup. 


Using secret keys of an appropriate size is crucial to the security 
of a Diffie-Hellman exchange. For modular exponentiation groups, the 
size of the secret key should be equal to the size of q (the size of 
the prime order subgroup). For elliptic curve groups, the size of 
the secret key must be equal to the size of n (the order of the group 
generated by the point g). Using larger secret keys provides 
absolutely no additional security, and using smaller secret keys is 
likely to result in dramatically less security. (See [NIST80056A] 
for more information on selecting secret keys.) 
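
The following is an added example, not part of the original memo: a Python sketch of the sizing rule above for MODP groups, together with the structural checks that the prime-order subgroup makes possible (g has order q, and a peer's public key lies in the order-q subgroup). The function names are illustrative; the arithmetic runs on a small constructed toy group (p = 2267, q = 103) that has the same structure as the section 2 groups but is not a secure size, and primality of p and q is assumed rather than tested. The only value taken from the memo is q from section 2.1.

```python
import secrets

# Constructed toy group with the same structure as the section 2 MODP groups:
# p prime, q prime with q dividing p - 1, g an element of order q.
P_TOY = 2267
Q_TOY = 103
G_TOY = pow(2, (P_TOY - 1) // Q_TOY, P_TOY)

# q of the 1024-bit MODP group, as listed in section 2.1.
Q_2_1 = int("F518AA87 81A8DF27 8ABA4E7D 64B7CB9D 49462353".replace(" ", ""), 16)


def check_group(p, q, g):
    """Return a list of structural problems; an empty list means consistent.
    Primality of p and q is assumed here, not tested."""
    problems = []
    if (p - 1) % q != 0:
        problems.append("q does not divide p - 1")
    if not 1 < g < p - 1:
        problems.append("g is outside 2..p-2")
    elif pow(g, q, p) != 1:
        problems.append("g does not generate the order-q subgroup")
    return problems


def generate_secret(q):
    """Secret key the size of q: uniform in [1, q-1]."""
    return secrets.randbelow(q - 1) + 1


def public_key(p, g, x):
    return pow(g, x, p)


def peer_key_ok(p, q, y):
    """Range check plus membership in the order-q subgroup."""
    return isinstance(y, int) and 2 <= y <= p - 2 and pow(y, q, p) == 1


def shared_secret(p, q, x, y_peer):
    """Compute Z only after the peer's public key has been validated."""
    if not peer_key_ok(p, q, y_peer):
        raise ValueError("peer public key rejected")
    return pow(y_peer, x, p)


def exchange_agrees():
    """One exchange on the toy group; both parties must derive the same Z."""
    xa, xb = generate_secret(Q_TOY), generate_secret(Q_TOY)
    ya, yb = public_key(P_TOY, G_TOY, xa), public_key(P_TOY, G_TOY, xb)
    za = shared_secret(P_TOY, Q_TOY, xa, yb)
    zb = shared_secret(P_TOY, Q_TOY, xb, ya)
    return za == zb
```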


When secret keys of an appropriate size are used, an approximation of 
the strength of each of the Diffie-Hellman groups is provided in the 
table below. For each group, the table contains an RSA key size and 
symmetric key size that provide roughly equivalent levels of 
security. This data is based on the recommendations in [NIST80057]. 


GROUP                                     | SYMMETRIC |  RSA
------------------------------------------+-----------+-------
1024-bit MODP with 160-bit Prime Subgroup |    80     |  1024
2048-bit MODP with 224-bit Prime Subgroup |    112    |  2048
2048-bit MODP with 256-bit Prime Subgroup |    112    |  2048
192-bit Random ECP Group                  |    80     |  1024
224-bit Random ECP Group                  |    112    |  2048
256-bit Random ECP Group                  |    128    |  3072
384-bit Random ECP Group                  |    192    |  7680
521-bit Random ECP Group                  |    256    | 15360

5. IANA Considerations

IANA has taken the following actions:

Updated the IKE and IKEv2 registries to include the following five
groups defined in this document: (Note that the other three ECP
groups defined in this document have already been added to the IKE
registry).

o 1024-bit MODP Group with 160-bit Prime Order Subgroup
o 2048-bit MODP Group with 224-bit Prime Order Subgroup
o 2048-bit MODP Group with 256-bit Prime Order Subgroup
o 192-bit Random ECP Group
o 224-bit Random ECP Group

Updated [IANA-IKE] and [IANA-IKE2] to reflect the above, which now
appear as entries in the list of Diffie-Hellman groups given by Group
Description. The descriptions are as stated above.

Appendix A: Test Data

The test data in this appendix is a protocol-independent subset of
the test data in [EX80056A]. In the test data for the three modular
exponentiation groups, we use the following notation:

xA: The secret key of party A
yA: The public key of party A
xB: The secret key of party B
yB: The public key of party B
Z: The shared secret that results from the Diffie-Hellman
computation

In the test data for the five elliptic curve groups, we use the
following notation:

dA: The secret value of party A
x_qA: The x-coordinate of the public key of party A
y_qA: The y-coordinate of the public key of party A
dB: The secret value of party B
x_qB: The x-coordinate of the public key of party B
y_qB: The y-coordinate of the public key of party B
x_Z: The x-coordinate of the shared secret that results from the
Diffie-Hellman computation
y_Z: The y-coordinate of the shared secret that results from the
Diffie-Hellman computation

Lepinski & Kent                Informational
A.5 224-bit Random ECP Group

dA = B558EB6C 288DA707 BBB4F8FB AE2AB9E9 CB62E3BC 5C7573E2
     2E26D37F
x_qA = 49DFEF30 9F81488C 304CFF5A B3EE5A21 54367DC7 833150E0
       A51F3EEB
y_qA = 4F2BDEE4 5762C4F6 54C1A0C6 7F54CF88 B016B51B CE3D7C22
       8D57ADB4
dB = AC3B1ADD 3D9770E6 F6A708EE 9F3B8E0A B3B480E9 F27F85C8
     8B5E6D18
x_qB = 6B3AC96A 8D0CDE6A 5599BE80 32EDF10C 162D0A8A D219506D
       CD42A207
y_qB = D491BE99 C213A7D1 CA3706DE BFE305F3 61AFCBB3 3E2609C8
       B1618AD5
x_Z = 52272F50 F46F4EDC 91515690 92F46DF2 D96ECC3B 6DC1714A
      4EA949FA
y_Z = 5F30C6AA 36DDC403 C0ACB712 BB88F176 3C3046F6 D919BD9C
      524322BF

A.6 256-bit Random ECP Group

dA = 81426414 5F2F56F2 E96A8E33 7A128499 3FAF432A 5DABCE59E
     867B7291 D507A3AF
x_qA = 2AF502F3 BE8952F2 C9B5A8D4 160D09E9 7165BE50 BC42AE4A
       5E8D3B4B A83AEB15
y_qA = EB0FAF4C A986C4D3 8681A0F9 872D79D5 6795BD4B FF6E6DE3
       C0F5015E CESEFD85
dB = 2CE1788E C197E096 DB95A200 CC0AB26A 19CE6BCC AD562B8E
     EE1B5937 61CF7F41
x_qB = B120DE4A A3649279 5346E8DE 6C2C8646 AE0GAAEA 279FA775
       B3AB0715 F6CE51B0
y_qB = 9F1B7EEC E20D7B5E D8EC685F A3F071D8 37270270 92A84113
       85C34DDE 5708B2B6
x_Z = DD0F5396 219D1EA3 93310412 D19A08F1 F5811E9D C8EC8EEA
      7F80D21C 820C2788
y_Z = 0357DCCD 4C804D0D 8D33AA42 B848834A A5605F9A B0D37239
      A115BBB6 47936F50

A.7 384-bit Random ECP Group

dA = D27335EA 71664AF2 44DD14E9 FD126071 5DFD8A79 65571C48
     D709EE7A 7962A156 D706A90C BCB5DF29 86F05FEA DB9376F1
x_qA = 793148F1 787634D5 DA4C6D90 74417D05 E057AB62 F82054D1
       0EE6B040 3D627954 TEGABEA9 D1FD7742 7D016FE2 7A8B8C66
y_qA = C6C41294 331D23E6 F480F4FB 4CD40504 C947392E 94F4C3F0
       6B8F398B B29E4236 8F7A6859 23DE3B67 BACED214 A1A1D128
dB = 52D1791F DB4B70F8 9C0F00D4 56C2F702 3B612526 2C36A7DF
     1F802311 21CCE3D3 9BE52E00 C194A413 2C4A6C76 8BCD94D2
x_qB = 5CD42AB9 C41B5347 F74B8D4E FB708B3D 5B36DB65 915359B4
       4ABC1764 7B6B9999 789D72A8 4865AE2F 223F12B5 A1ABC120
y_qB = E171458F EAA939AA A3A8BFAC 46B404BD 8F6D5B34 8C0FA4D8
       0CECA163 56CA9332 40BDE872 3415A8EC E035B0ED F36755DE
x_Z = SEAIFC4A F7256D20 55981B11 0575E0A8 CAE53160 137D904C
      59D926EB 1B8456E4 27AA8A45 40884C37 DE159A58 028ABC0E
y_Z = 0CC59E4B 046414A8 1C8A3BDF DCA92526 C48769DD 8D3127CA
      A99B3632 D1913942 DE362EAF AA962379 374D9F3F 066841CA

A.8 521-bit Random ECP Group

dA = 0113 F82DA825 735E3D97 276683B2 B74277BA
     D27335EA 71664AF2 430CC4F3 3459B966 9EE78B3F FB9B8683
     015D344D CBFEF6FB 9AF4C6C4 70BE2545 16CD3C1A 1FB47362
x_qA = 01EB B34DD757 21ABF8AD C9DBED17 889CBB97
       65D90A7C 60F2CEF0 07BB0F2B 26E14881 FD4442E6 89D61CB2
       DD046EE3 0E3FFD20 F9A45BBD F6413D58 3A2DBF59 924FD35C
y_qA = 00F6 B632D194 C0388E22 D8437E55 8C552AE1
       95ADFD15 3F92D749 08351B2F 8C4EDA94 EDB0916D 1B53C020
       B5EECAED 1A5FC38A 233E4830 587BB2EE 3489B3B4 2A5A86A4
dB = 00CE E3480D86 45A17D24 9F2776D2 8BAE6169
     52D1791F DB4B70F7 C3378732 AA1B2292 8448BCD1 DC2496D4
     35B01048 066EBE4F 72903C36 1B1A9DC1 193DC2C9 D0891B96